Your message dated Tue, 17 Dec 2019 10:06:11 +0100
with message-id <[email protected]>
and subject line Re: cyrus-imapd: fix for CVE-2019-19783
has caused the Debian Bug report #945122,
regarding buster-pu: package cyrus-imapd/3.0.8-6+deb10u2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
945122: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945122
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Hi,
cyrus-imapd is vulnerable to CVE-2019-18928: privilege escalation on HTTP
request. This is a minor vulnerability since authentication is already
vulnerable when using non-SSL connection. However, this little patch
fixes the problem.
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 8023011..b011c8f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+cyrus-imapd (3.0.8-6+deb10u2) buster; urgency=high
+
+ * Fix privilege escalation on HTTP request (Closes: CVE-2019-18928)
+
+ -- Xavier Guimard <[email protected]> Tue, 19 Nov 2019 22:21:32 +0100
+
cyrus-imapd (3.0.8-6+deb10u1) buster; urgency=medium
* Add patch to fix data loss on upgrade from versions ≤ 3.0.0
diff --git a/debian/patches/CVE-2019-18928.patch
b/debian/patches/CVE-2019-18928.patch
new file mode 100644
index 0000000..41bbad8
--- /dev/null
+++ b/debian/patches/CVE-2019-18928.patch
@@ -0,0 +1,38 @@
+Description: fix privilege escalation
+ Only allow reuse of auth creds on a persistent connection against a backend
+ server in a Murder
+Author: Ken Murchison <[email protected]>
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/e675bf7
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18928
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard <[email protected]>
+Last-Update: 2019-11-19
+
+--- a/imap/httpd.c
++++ b/imap/httpd.c
+@@ -1729,6 +1729,25 @@
+ txn->auth_chal.scheme = NULL;
+ }
+
++ /* Drop auth credentials, if not a backend in a Murder */
++ else if (!config_mupdate_server ||
!config_getstring(IMAPOPT_PROXYSERVERS)) {
++ syslog(LOG_DEBUG, "drop auth creds");
++
++ free(httpd_userid);
++ httpd_userid = NULL;
++
++ free(httpd_extrafolder);
++ httpd_extrafolder = NULL;
++
++ free(httpd_extradomain);
++ httpd_extradomain = NULL;
++
++ if (httpd_authstate) {
++ auth_freestate(httpd_authstate);
++ httpd_authstate = NULL;
++ }
++ }
++
+ /* Perform proxy authorization, if necessary */
+ else if (saslprops.authid &&
+ (hdr = spool_getheader(txn->req_hdrs, "Authorize-As")) &&
diff --git a/debian/patches/series b/debian/patches/series
index e9631e4..c66f980 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@
0023-fix-memory-leak-on-ldap-failure.patch
CVE-2019-11356.patch
0024-dont-skip-records-with-modseq-0.patch
+CVE-2019-18928.patch
--- End Message ---
--- Begin Message ---
Will be fixed in a DSA
Le 17 décembre 2019 08:58:58 GMT+01:00, Moritz Muehlenhoff <[email protected]> a
écrit :
>On Mon, Dec 16, 2019 at 11:34:35PM +0100, Xavier wrote:
>> Hi all,
>>
>> I made a mistake; fix for cyrus-3.0 includes also fix for
>CVE-2019-18928
>> (no-dsa) which was not already accepted by release.debian.org (next
>> point release: #945122)
>>
>> What can we do?
>> * leave proposed package like this (2 d/ch entries) and close
>#945122
>> * reject it and:
>> * keep only CVE-2019-19783 fix
>> * set only one d/ch entry with the 2 patches
>
>That's fine, we can piggyback security issues formerly marked as no-dsa
>if something more severe arises, that's normal procedure. Just close
>the
>spu bug to avoid confusion for stable release managers.
>
>Cheers,
> Moritz
--
Envoyé de mon appareil Android avec Courriel K-9 Mail. Veuillez excuser ma
brièveté.
--- End Message ---
